MITRE Releases 2025 List of Top 25 Most Dangerous Software Vulnerabilities

XSS remains the top software weakness, followed by SQL injection and CSRF. Buffer overflow issues and improper access control make it into the top 25.

The MITRE Corporation has released an updated Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list to reflect the latest changes in the threat landscape.

Cross-site scripting (XSS) vulnerabilities kept the top spot in the list, followed by SQL injection and cross-site request forgery (CSRF), each up one position from last year.

Missing authorization landed fourth in the 2025 CWE Top 25 list, up five positions. Out-of-bounds write placed fifth, dropping two places.

The top 10 also includes path traversal, use-after-free, out-of-bounds read, OS command injection, and code injection vulnerabilities.

There are six new entries in the Top 25 this year, including four CWEs that were not ranked in the list’s previous installments.

These include three buffer overflow weaknesses (classic on 11, stack-based on 14, and heap-based on 16), improper access control on 19, authorization bypass through user-controlled key on 24, and allocation of resources without limits or throttling on 25.

Improper privilege management, integer overflow or wraparound, improper authentication, uncontrolled resource consumption, use of hardcoded credentials, and improper restriction of operations within the bounds of a memory buffer dropped from the CWE Top 25 list.

MITRE attributes these changes to adjustments in how the Top 25 was calculated compared with previous years and to a sharp reduction in the number of vulnerability-to-CWE mappings. Details on how the 2025 list was compiled are published on MITRE's methodology page.

According to the US cybersecurity agency CISA, the 2025 CWE Top 25 is meant to support vulnerability reduction, drive cost efficiency, improve customer and stakeholder trust, and promote customer awareness.

CISA recommends that software makers review the list and incorporate Secure by Design practices in product development and that security teams incorporate the list into vulnerability management and application security testing.

The Top 25 list should also be used, alongside Secure by Design guidelines, for benchmarking when evaluating vendors, to ensure investment in secure products.

Related: Two New Web Application Risk Categories Added to OWASP Top 10

Related: Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited

Related: MITRE Updates List of Most Common Hardware Weaknesses

Related: Google DeepMind Unveils Framework to Exploit AI’s Cyber Weaknesses

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.